Support Forum
jickfoo
New Contributor

Fortinet to Checkpoint - P2 no go

Banging my head against the wall trying to get a Fortinet 60E to get a tunnel up with my cluster of Checkpoint 23500s. The 60E's are in a home user environment (currently my test DSL), and the outside interface is DHCP'ing a 192.168 address. Outbound traffic is doing NAT through to the Internet and to my head-end Checkpoints. I ran through a bunch of the VPN wizards (sadly there isn't one for Checkpoint). Eventually I was able to get P1 to come up by configuring certificates for auth in both directions. P2 will not pop though, and I'm at a loss as to why.

 

Below is my P2 config:

AES / SHA1
PFS DH Group 2
Key Lifetime 3600 seconds

 

The wizard created a Tunnel Interface and some policies 

 

From               To                 Source                   Destination
FN_Internal Zone   Tunnel Int         Fort_Internal_Subnet     All
Tunnel Int         FN_Internal Zone   All                      Fortinet_Internal_Subnet

 

There is also a static route: traffic destined for 0.0.0.0/0 is sent into the Tunnel Interface.

 

Can anyone help me identify what's going on? I'm at a loss. I know this can and does work for some. Seems like P1 just times out waiting for P2? There is plenty of traffic trying to head in both directions. Any help is appreciated. Thx.

 

Below are the debug logs from the Fortinet side (heavily redacted):

 

ike 0:TO_UCH:29::62: cfg-mode negotiation failed due to retry timeout
ike 0:TO_UCH:29: send IKE SA delete 1df1f592a813719c/ecaa2bedcc912d0c
ike 0:TO_UCH:29: enc *string-removed-for-security-reasons*
ike 0:TO_UCH:29: out *string-removed-for-security-reasons*
ike 0:TO_UCH:29: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.1.65:4500->1.1.1.200:4500, len=92, id=*string-removed-for-security-reasons*
ike 0:TO_UCH: connection expiring due to phase1 down
ike 0:TO_UCH: deleting
ike 0:TO_UCH: schedule auto-negotiate
ike 0:TO_UCH: reset NAT-T
ike 0:TO_UCH: deleted
ike 0:TO_UCH: set oper down
ike 0: cache rebuild start
ike 0:TO_UCH: sending DNS request for remote peer fake.fake.edu
ike 0: cache rebuild done
ike 0: DNS response received for remote gateway fake.fake.edu
ike 0: DNS fake.fake.edu -> 1.1.1.200
ike 0:TO_UCH: 'fake.fake.edu' resolved to 1.1.1.200
ike 0:TO_UCH: set remote-gw 1.1.1.200
ike 0: cache rebuild start
ike 0:TO_UCH: cached as static-ddns
ike 0: cache rebuild done
ike 0:TO_UCH: auto-negotiate connection
ike 0:TO_UCH: created connection: *string-removed-for-security-reasons* 5 192.168.1.65->1.1.1.200:500.
ike 0:TO_UCH:30: initiator: main mode is sending 1st message...
ike 0:TO_UCH:30: cookie *string-removed-for-security-reasons*
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (ident_i1send): 192.168.1.65:500->1.1.1.200:500, len=312, id=*string-removed-for-security-reasons*
ike 0: comes 1.1.1.200:500->192.168.1.65:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons* len=128
ike 0: in *string-removed-for-security-reasons*
ike 0:TO_UCH:30: initiator: main mode get 1st response...
ike 0:TO_UCH:30: VID FRAGMENTATION *string-removed-for-security-reasons*
ike 0:TO_UCH:30: VID draft-ietf-ipsec-nat-t-ike-02\n *string-removed-for-security-reasons*
ike 0:TO_UCH:30: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n
ike 0:TO_UCH:30: negotiation result
ike 0:TO_UCH:30: proposal id = 1:
ike 0:TO_UCH:30: protocol id = ISAKMP:
ike 0:TO_UCH:30: trans_id = KEY_IKE.
ike 0:TO_UCH:30: encapsulation = IKE/none
ike 0:TO_UCH:30: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:TO_UCH:30: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:TO_UCH:30: type=AUTH_METHOD, val=RSA_SIG.
ike 0:TO_UCH:30: type=OAKLEY_GROUP, val=MODP1024.
ike 0:TO_UCH:30: ISAKMP SA lifetime=86400
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (ident_i2send): 192.168.1.65:500->1.1.1.200:500, len=228, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*
ike 0: comes 1.1.1.200:500->192.168.1.65:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons* len=491
ike 0: in *string-removed-for-security-reasons*
ike 0:TO_UCH:30: initiator: main mode get 2nd response...
ike 0:TO_UCH:30: received NAT-D payload type 130
ike 0:TO_UCH:30: received NAT-D payload type 130
ike 0:TO_UCH:30: NAT detected: ME
ike 0:TO_UCH:30: NAT-T float port 4500
ike 0:TO_UCH:30: ISAKMP SA *string-removed-for-security-reasons* key 16:*string-removed-for-security-reasons*
ike 0:TO_UCH: sending 1 CERTREQ payload
ike 0:TO_UCH:30: local cert, subject='fnet0001.fake.com', issuer='Fake Issuing Authority'
ike 0:TO_UCH:30: local CA cert, subject='Fake Issuing Authority', issuer='Fake Root Authority'
ike 0:TO_UCH:30: local CA cert, subject='Fake Root Authority', issuer='Fake Root Authority'
ike 0:TO_UCH:30: add INITIAL-CONTACT
ike 0:TO_UCH:30: enc *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (ident_i3send): 192.168.1.65:4500->1.1.1.200:4500, len=4364, id=*string-removed-for-security-reasons*
ike 0: comes 1.1.1.200:4500->192.168.1.65:4500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons* len=1292
ike 0: in *string-removed-for-security-reasons*
ike 0:TO_UCH:30: initiator: main mode get 3rd response...
ike 0:TO_UCH:30: dec *string-removed-for-security-reasons*
ike 0:TO_UCH:30: VID DPD *string-removed-for-security-reasons*
ike 0:TO_UCH:30: peer identifier IPV4_ADDR 1.1.1.200
ike 0:TO_UCH:30: Validating X.509 certificate
ike 0:TO_UCH:30: peer cert, subject='Fake VPN Certificate', issuer='ôÇÒV'
ike 0:TO_UCH:30: peer ID verified
ike 0:TO_UCH:30: building fnbam peer candidate list
ike 0:TO_UCH:30: FNBAM_GROUP_NAME candidate 'Fake Cert'
ike 0:TO_UCH:30: certificate validation pending
ike 0:TO_UCH:30: certificate validation complete
ike 0:TO_UCH:30: certificate validation succeeded
ike 0:TO_UCH:30: signature verification succeeded
ike 0:TO_UCH:30: established IKE SA *string-removed-for-security-reasons*/*string-removed-for-security-reasons*
ike 0:TO_UCH:30: initiating mode-cfg pull from peer
ike 0:TO_UCH:30: mode-cfg request APPLICATION_VERSION
ike 0:TO_UCH:30: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:TO_UCH:30: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:TO_UCH:30: mode-cfg request UNITY_SPLIT_INCLUDE
ike 0:TO_UCH:30: mode-cfg request UNITY_PFS
ike 0:TO_UCH:30: enc *string-removed-for-security-reasons*
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (cfg_send): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:*string-removed-for-security-reasons*
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:*string-removed-for-security-reasons*
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:*string-removed-for-security-reasons*
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:*string-removed-for-security-reasons*
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:dbcc1b38
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: out FF
ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string-removed-for-security-reasons*/*string remov/
ike 0:TO_UCH:30::64: cfg-mode negotiation failed due to retry timeout
ike 0:TO_UCH:30: send IKE SA delete *string-removed-for-security-reasons*/*string-removed-for-security-reasons*
ike 0:TO_UCH:30: enc *string-removed-for-security-reasons*
ike 0:TO_UCH:30: out *string-removed-for-security-reasons*
ike 0:TO_UCH:30: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.1.65:4500->1.1.1.200:4500, len=92, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:7e8a0b29
ike 0:TO_UCH: connection expiring due to phase1 down

 

emnoc
Esteemed Contributor III

Hmm

 

ike 0:TO_UCH:30::64: cfg-mode negotiation failed due to retry timeout

 

I see mode-cfg; are we using this in the same fashion as a VPN client? Can you show the FortiGate phase1/2 cfg?

 

e.g.

show vpn ipsec phase1-interface <name>

show vpn ipsec phase2-interface <name>

PCNSE 

NSE 

StrongSwan  
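The debug output in the post already answers the question of how far the negotiation gets: main mode completes, the peer certificate and signature verify, the IKE SA is established, and then the FortiGate starts a mode-cfg pull (the INTERNAL_IP4_ADDRESS / UNITY_SPLIT_INCLUDE requests a dialup client would send), retransmits the CFG request with no reply, and tears the IKE SA down on "cfg-mode negotiation failed due to retry timeout" before any quick-mode (phase 2) message goes out. That mode-cfg step is what the `mode-cfg` setting under `config vpn ipsec phase1-interface` controls, which is why the reply asks for that config. The triage script below is an added example, not code from the post or from Fortinet: it parses `diagnose debug application ike` style lines into a per-SA state and prints the reading above. The sample lines are excerpted from the poster's redacted log; treating the word "quick" as the marker for phase 2 messages is an assumption about the debug wording.

```python
"""Triage a FortiGate IKE debug capture, one IKE SA at a time.

Added example (not from the original post): replays the `ike 0:<gw>:<sa>:`
lines and records how far each SA got and what ended it.
"""
import re
from collections import defaultdict

# Constructed sample: excerpt of the redacted log from the post.
SAMPLE_LOG = """\
ike 0:TO_UCH: auto-negotiate connection
ike 0:TO_UCH:30: initiator: main mode is sending 1st message...
ike 0:TO_UCH:30: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:TO_UCH:30: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:TO_UCH:30: type=AUTH_METHOD, val=RSA_SIG.
ike 0:TO_UCH:30: type=OAKLEY_GROUP, val=MODP1024.
ike 0:TO_UCH:30: ISAKMP SA lifetime=86400
ike 0:TO_UCH:30: received NAT-D payload type 130
ike 0:TO_UCH:30: NAT detected: ME
ike 0:TO_UCH:30: NAT-T float port 4500
ike 0:TO_UCH:30: peer cert, subject='Fake VPN Certificate', issuer='ôÇÒV'
ike 0:TO_UCH:30: certificate validation succeeded
ike 0:TO_UCH:30: signature verification succeeded
ike 0:TO_UCH:30: established IKE SA redacted/redacted
ike 0:TO_UCH:30: initiating mode-cfg pull from peer
ike 0:TO_UCH:30: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:TO_UCH:30: sent IKE msg (cfg_send): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=redacted
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=redacted
ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500.
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=redacted
ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=redacted
ike 0:TO_UCH:30::64: cfg-mode negotiation failed due to retry timeout
ike 0:TO_UCH:30: send IKE SA delete redacted/redacted
ike 0:TO_UCH:30: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.1.65:4500->1.1.1.200:4500, len=92, id=redacted
ike 0:TO_UCH: connection expiring due to phase1 down
"""

# "ike 0:<gateway>[:<sa>][::<n>]: <message>"; gateway-less lines are global housekeeping.
LINE_RE = re.compile(r"^ike \d+:(?:(?P<gw>[\w.-]+)(?::(?P<sa>\d+))?(?:::\d+)?:)?\s(?P<msg>.*)$")
# Negotiated phase 1 attributes, e.g. "type=AUTH_METHOD, val=RSA_SIG."
PARAM_RE = re.compile(r"type=(\w+), val=(\w+)")


def new_state():
    return {"phase1_started": False, "phase1_params": {}, "nat_t": False,
            "phase1_up": False, "mode_cfg": False, "cfg_retrans": 0,
            "phase2_attempted": False, "failure": None, "sa_deleted": False}


def triage(log_text):
    """Return {(gateway, sa_number): state} for every IKE SA seen in the capture."""
    states = defaultdict(new_state)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["gw"] is None or m["sa"] is None:
            continue  # global or per-gateway lines carry no SA state
        st = states[(m["gw"], int(m["sa"]))]
        msg = m["msg"]
        p = PARAM_RE.search(msg)
        if p:
            st["phase1_params"][p.group(1)] = p.group(2)
        elif "main mode is sending 1st message" in msg:
            st["phase1_started"] = True
        elif msg.startswith("NAT detected"):
            st["nat_t"] = True
        elif msg.startswith("established IKE SA"):
            st["phase1_up"] = True
        elif msg.startswith("initiating mode-cfg pull"):
            st["mode_cfg"] = True
        elif "(CFG_RETRANS)" in msg:
            st["cfg_retrans"] += 1
        elif "quick" in msg.lower():  # assumed wording for quick-mode (phase 2) messages
            st["phase2_attempted"] = True
        elif "failed" in msg:
            st["failure"] = msg
        elif msg.startswith("send IKE SA delete"):
            st["sa_deleted"] = True
    return dict(states)


def verdict(st):
    """One-line reading of a single SA, in the order the exchange ran."""
    if not st["phase1_up"]:
        return "phase 1 never established: " + (st["failure"] or "no IKE SA")
    auth = st["phase1_params"].get("AUTH_METHOD", "?")
    nat = ", behind NAT, port 4500" if st["nat_t"] else ""
    parts = [f"phase 1 up ({auth}{nat})"]
    if st["mode_cfg"]:
        parts.append(f"mode-cfg pull started, {st['cfg_retrans']} CFG_RETRANS sent")
    if st["failure"]:
        parts.append(st["failure"])
    if st["phase2_attempted"]:
        parts.append("quick mode attempted")
    elif st["sa_deleted"]:
        parts.append("IKE SA deleted before any quick-mode (phase 2) message")
    return "; ".join(parts)


if __name__ == "__main__":
    for (gw, sa), st in sorted(triage(SAMPLE_LOG).items()):
        print(f"{gw} SA#{sa}: {verdict(st)}")
```

Run it against a full `diagnose debug application ike -1` capture (with `diagnose debug enable`) rather than the excerpt: an SA that reaches "quick mode attempted" has a phase 2 problem (selectors, proposal, PFS group), while one that ends as the sample does never got that far, and the phase 1 config is the place to look.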
